Network Security with Jamf and Cisco

What do you get when you combine Jamf Pro, macOS and Cisco’s Identity Services Engine (ISE)? At a minimum, a very happy customer. In today’s session, Liberty Mutual Insurance’s senior network engineer, Matt Vander Horst, and Cisco Advanced Threat Security’s principal engineer, Aaron Woland, shared how Liberty Mutual used Jamf and ISE to achieve the optimal management environment for their Apple devices.

The session started with a look at ISE, a context aware policy service that controls access and threats across wired, wireless and VPN networks.

“Managing that policy based on the level of trust is the purpose of the Identity Services Engine,” said Woland.

ISE use cases:

Visibility

Next generation access control

Software defined segmentation

Guest access

Simplified firewall rule management with TrustSec

Rapid threat containment

Ecosystem integration and context sharing

BYOD access control

Woland added that Cisco has 46,000 Macs managed with Jamf.

After laying the foundation of what ISE is and explaining the benefits it provides, Vander Horst and Woland explained how, when combined with Jamf, it created success at Liberty Mutual.

“We have Cisco wired and wireless networks, Identity Services Engine version 2, Jamf Pro and about 950 managed MacOS devices and growing,” Vander Horst explained, adding their Mac deployment continues to grow at the rate of around 40 devices per month.

While ISE supports integrations with a variety of mobile device management (MDM) solutions, Vander Horst said Liberty Mutual doesn’t use the native integration between ISE and Jamf. But for those who may be able to use it, he said it was worth discussing. “It offers some benefits, like easily making device registration and compliance information available in ISE policies, allowing network admins to use MDM functions like wiping devices, and so on,” he said. “It also doesn’t require any custom software development.”

Vander Horst continued by walking through the details of a native integration, stating, “So the native integration between ISE and Jamf is straightforward, but in an environment our size, we ran into some limitations.” They included: multiple MDMs with ISE; devices with more than two Mac addresses; and multiple types of managed devices. So what did they do.

“First, in Jamf, we established extension attributes and advanced computer searches to help us segment our devices,” Vander Horst explained. “Then, in ISE, we created identity groups for each device type so we could use those types in our policies. Finally, we tied it all together with the use of APIs and automation.”

After outlining, in detail, how they created, implemented and continue to successfully navigate their solution, which includes an “All Mac Addresses” attribute, “All Mac Addresses” script, “Developer Computer” attribute, “ISE Identity” groups, “JamfSync” and more, Vander Horst summarized their use of Jamf webhooks.

“JamfSync is good at keeping ISE and Jamf in line, but the downside is that it only runs every hour,” Vander Horst explained. “It’s really meant to keep things honest more than it’s meant to relay real-time changes.” He said the solution to this setback was to incorporate webhooks, which add devices to the appropriate ISE identity groups during enrollment while using the initial two Mac addresses captured by Jamf. After enrollment, if a device changes types, such as transitioning to a developer device, smart groups can trigger another webhook.

After reviewing more details of the provided solution, Vander Horst said, “It’s important to remember that all of what I’ve described simply allows ISE to know which Mac addresses re legitimate corporate Macs. We still require 802.1x authentication so we can get an Active Directory identity.”

After taking a brief look at the Cisco Security Connector, which creates visibility, control and privacy on iOS devices, Woland wrapped up the session with summary of the benefits of extended security for Apple devices. He said, “When an organization plans to mobilize its workforce, it looks for a platform that can support its new requirements. Apple and Cisco, working together, have added even more capabilities to enhance the integration of iOS devices into a company’s security approach.” He added, “Because while iOS devices are secure by design, the internet is not.”